I was playing with Wireshark and noticed two filters: tcp.len and tcp.data. What is the difference between the two? As far as I know, the tcp.len (length) field tells how many bytes of data travel within a segment, correct?

1 Answer

Simply put, tcp.len filters the length of TCP segment data in bytes, while tcp.data (or tcp.segment_data in newer versions of Wireshark) filters for the actual data (sequence of bytes) within the TCP segment data.

Example:

tcp.len == 1

Filters for TCP segment data that is exactly 1 byte in length

tcp.segment_data contains 49:27:6d:20:64:61:74:61

Filters for TCP segment data that contains the hexadecimal sequence of 49:27:6d:20:64:61:74:61
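To make the distinction concrete, here is an added worked example (not part of the original question or answer, and not Wireshark code). It builds a small IPv4/TCP packet inline from constructed values (arbitrary addresses, ports and sequence numbers, checksums left at zero), then computes tcp.len the way the dissector derives it, as IP total length minus the IP header length minus the TCP data offset, and re-implements the `contains` match on the segment data. The hexadecimal sequence from the answer, 49:27:6d:20:64:61:74:61, is the ASCII string "I'm data". Function names such as `tcp_len` and `segment_data_contains` are this example's own, not Wireshark field names.

```python
import struct


def build_ipv4_tcp(payload: bytes, tcp_options: bytes = b"") -> bytes:
    """Constructed sample packet: minimal IPv4 + TCP headers + payload.

    Checksums are left at zero (Wireshark would flag them as bad), which does
    not affect how tcp.len or tcp.segment_data are computed.
    """
    if len(tcp_options) % 4:
        raise ValueError("TCP options must be padded to a multiple of 4 bytes")
    data_offset_words = 5 + len(tcp_options) // 4
    tcp_header = struct.pack(
        "!HHIIBBHHH",
        40000,                    # source port (arbitrary)
        80,                       # destination port (arbitrary)
        1,                        # sequence number
        1,                        # acknowledgement number
        data_offset_words << 4,   # data offset in 32-bit words, reserved bits 0
        0x18,                     # flags: PSH, ACK
        65535,                    # window
        0,                        # checksum (not computed)
        0,                        # urgent pointer
    ) + tcp_options
    total_length = 20 + len(tcp_header) + len(payload)
    ip_header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45,                     # version 4, IHL 5 words (no IP options)
        0,                        # DSCP/ECN
        total_length,             # IP total length: headers + TCP payload
        0x1234,                   # identification (arbitrary)
        0x4000,                   # flags: DF, fragment offset 0
        64,                       # TTL
        6,                        # protocol: TCP
        0,                        # checksum (not computed)
        bytes([10, 0, 0, 1]),     # source address (arbitrary)
        bytes([10, 0, 0, 2]),     # destination address (arbitrary)
    )
    return ip_header + tcp_header + payload


def _payload_bounds(packet: bytes) -> tuple[int, int]:
    """Start and end offsets of the TCP segment data inside an IPv4 packet."""
    ihl_bytes = (packet[0] & 0x0F) * 4
    ip_total_length = struct.unpack_from("!H", packet, 2)[0]
    data_offset_bytes = (packet[ihl_bytes + 12] >> 4) * 4
    return ihl_bytes + data_offset_bytes, ip_total_length


def tcp_len(packet: bytes) -> int:
    """Equivalent of the tcp.len field: number of TCP segment data bytes.

    Computed from the IP total length, not from the captured frame size, so
    Ethernet padding after the IP packet is not counted.
    """
    start, end = _payload_bounds(packet)
    return end - start


def tcp_segment_data(packet: bytes) -> bytes:
    """Equivalent of tcp.segment_data: the raw bytes of the segment data."""
    start, end = _payload_bounds(packet)
    return packet[start:end]


def segment_data_contains(packet: bytes, hex_sequence: str) -> bool:
    """Equivalent of `tcp.segment_data contains 49:27:6d:...` for one packet."""
    needle = bytes.fromhex(hex_sequence.replace(":", ""))
    return needle in tcp_segment_data(packet)


if __name__ == "__main__":
    pkt = build_ipv4_tcp(b"I'm data")
    print("tcp.len =", tcp_len(pkt))
    print("contains 49:27:6d:20:64:61:74:61:",
          segment_data_contains(pkt, "49:27:6d:20:64:61:74:61"))
```

The two checks on the trailing bytes matter in practice: a short Ethernet frame is padded to 60 bytes, and because tcp.len is derived from the IP total length rather than the frame length, `tcp.len == 1` still matches a one-byte payload in a padded frame, and `tcp.segment_data contains` does not see the padding. The example also works when TCP options are present, since it reads the data offset instead of assuming a 20-byte TCP header.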